Category: Business Logic

Insecure cloud-backup encryption

Medium Severity
Medium Impact
High Likelihood

Description

The Fuelet wallet backs up the user's private keys to Apple iCloud and Google Drive. It encrypts this data with the aesPassword value. However, this value is compiled (obfuscated) into the app and is shared between all users, so anyone who recovers it from the app binary can decrypt every user's backup. Thus, the cloud backups are effectively stored unencrypted.

The password is hardcoded in fuelet/lib/env/env.dart:

@Envied(path: '.env', obfuscate: true)
abstract class Env {
  @EnviedField(varName: 'AES_PASSWORD')
  static final String aesPassword = _Env.aesPassword;
// ...

The cloud-backup encryption occurs in fuelet_secure_layer/packages/fuelet_secure_layer/lib/src/features/cloud_backup/entity/backup_accouts_dto.dart:

Future<String> toRawJson(String password) async {
  final Map<String, String> encryptedAccounts = {};

  for (var key in backupAccounts.keys) {
    encryptedAccounts[key] =
        await Aes256GcmUtils.encrypt(backupAccounts[key]!, password);
  }

  return jsonEncode(encryptedAccounts);
}

Impact

This issue allows an attacker with access to the user's Apple/Google account to compromise their Fuelet wallet.

Recommendations

The Fuelet team should encrypt cloud backups with the user's app password or add a new backup password that the user may enter.

Remediation

This issue has been acknowledged by Fuelet Wallet, and a fix was implemented in commit ea46b33.

Zellic © 2025